Security and compliance are important to Finix. We are committed to building and maintaining the highest security and compliance standards for our payments platform. This document covers both security and compliance standards and procedures.
If you have any questions or concerns, please contact Finix at support@finixpayments.com.
PCI compliance
Finix is certified as a Level 1 Payment Card Industry Data Security Standard (PCI DSS) compliant service provider. Level 1 is the highest level of PCI DSS validation a service provider that stores, processes, and/or transmits payment card data can obtain. As part of our commitment to the PCI DSS, Finix completes the annual independent assessment performed by a Qualified Security Assessor (QSA). Our most recent PCI Attestation of Compliance (AoC) is available on request under a signed non-disclosure agreement with Finix.
SOC 2 - Type 2 compliance
Established by the American Institute of Certified Public Accountants (AICPA), System and Organization Controls (SOC) 2 defines a standardized set of risk-based control criteria for service organizations, such as Software as a Service (SaaS) companies, that store, transmit, and/or process customer data in the cloud. A SOC 2 Type 2 report is an auditor's report on the operating effectiveness of a company's internal controls over a defined period of time, as opposed to a Type 1 report, which assesses their design at a single point in time. Our most recent SOC 2 Type 2 report, covering the trust service criteria of security, availability, and confidentiality, is available on request under a signed non-disclosure agreement with Finix.
Secure connections
Finix uses HTTPS for all of its services, including the APIs and the Dashboard. The API endpoints are configured to reject plaintext HTTP connections, as is Auth0, the authentication service used by the front-end Dashboard. Traffic is protected with Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL). Encrypting data in transit prevents payment card details and personally identifiable information (PII) from being exposed to anyone who can observe the connection.
Encrypt sensitive data at rest
All customer data is encrypted at rest. As an added layer of protection, customer data is encrypted twice: at the application layer by Finix before it is written, and at the storage layer by the cloud-hosted database provider, so a compromise of the storage layer alone does not expose plaintext. Sensitive data is never rendered in plaintext, and access to the encryption keys is restricted to the Finix personnel responsible for securing, operating, and maintaining the platform.
Tokenize payment cards
Tokenization is the process of replacing sensitive data, such as a card number, with a non-sensitive surrogate value (a token) that has no exploitable value on its own and can be mapped back to the original data only by the token provider that holds the vault. When you transact with the Finix Gateway, Finix tokenizes all payment card data and stores the actual card values, encrypted, in a secure PCI DSS compliant vault, so that the token rather than the card number is what is stored and passed around outside the vault.
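The two sections above describe a pattern rather than an implementation: card data is encrypted before it is stored, the encryption key is held only by the system that operates the vault, and everything outside the vault sees a meaningless token. The following Go program is an added illustration of that pattern and is not Finix's code; the vault, the token format (`TKN` + random hex + last four digits), the Luhn check, and the use of AES-256-GCM are all assumptions made for the example. The card number it uses is the well-known `4111 1111 1111 1111` test number, not a real card, and the key is generated in memory, whereas a production vault would obtain it from a KMS or HSM with restricted access.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// luhnValid reports whether pan is 12-19 digits and passes the Luhn check.
// It rejects obviously malformed input before anything is stored.
func luhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Vault is a hypothetical in-memory token vault (example only). Each token maps
// to nonce || AES-256-GCM ciphertext of the PAN; only the holder of the key can
// turn a token back into a card number.
type Vault struct {
	aead  cipher.AEAD
	mu    sync.Mutex
	store map[string][]byte
}

// NewVault builds a vault around a 32-byte AES-256 key.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("vault key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: make(map[string][]byte)}, nil
}

// Tokenize validates the PAN, encrypts it under a fresh nonce, stores the
// record and returns a token that reveals only the last four digits.
func (v *Vault) Tokenize(pan string) (string, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return "", errors.New("invalid PAN")
	}
	nonce := make([]byte, v.aead.NonceSize())
	randPart := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	if _, err := rand.Read(randPart); err != nil {
		return "", err
	}
	token := "TKN" + hex.EncodeToString(randPart) + pan[len(pan)-4:]
	// The token is the GCM additional data, so a ciphertext copied under a
	// different token fails authentication instead of decrypting.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.mu.Lock()
	v.store[token] = append(nonce, ct...)
	v.mu.Unlock()
	return token, nil
}

// Detokenize returns the PAN for a token, or an error for an unknown or
// tampered record. In a real system this path is tightly access-controlled.
func (v *Vault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	rec, ok := v.store[token]
	v.mu.Unlock()
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // example only: a real vault key comes from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	tok, err := v.Tokenize("4111 1111 1111 1111") // standard test number, not a real card
	if err != nil {
		panic(err)
	}
	pan, _ := v.Detokenize(tok)
	fmt.Println("token:", tok, "-> PAN:", pan)
}
```

The point to take from the example is the separation of duties it encodes: a merchant system that stores only the token holds nothing useful to an attacker, and the record in the vault is useless without the key, which never leaves the vault process.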
Additional security
In addition to the procedures and processes listed above, Finix undergoes recurring vulnerability scanning and penetration testing performed by a PCI SSC Approved Scanning Vendor (ASV). All material findings are documented, reviewed, and remediated within 30 days of discovery.
PGP Key
Sensitive data such as card information that must be sent to Finix outside the API should be encrypted to Finix's public PGP key, shown below. Before encrypting to it, verify the key's fingerprint with Finix through a separate channel (for example, by contacting support@finixpayments.com), since a key block published on a web page can be substituted.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

…
=gbJg
-----END PGP PUBLIC KEY BLOCK-----